The 'Heartbleed' problem and how it affects (or doesn't affect) Pegasus Mail/Mercury

Some of you may have read about a recently-discovered vulnerability in a product called OpenSSL that is being called the "Heartbleed bug". A good summary of this problem can be read on Brian Krebs' security blog, here:

Builds of Pegasus Mail earlier than v4.7 did not use OpenSSL and are completely immune to this bug.

Pegasus Mail v4.70 uses an affected version of OpenSSL, but the problem is not serious for client implementations - only servers are seriously affected by this problem. Pegasus Mail users can continue to run the current v4.70 build of Pegasus Mail to connect to their normal e-mail servers without any practical risk of being affected by this vulnerability. That said, I have already prepared a patched version of OpenSSL that is immune to the Heartbleed bug, and will be making it available for download as soon as the test team has finished verifying that everything still works normally with it. Pegasus Mail v4.70 users should install the patched version when it becomes available as a simple matter of prudence. Pegasus Mail v4.71, which will be released in the next few weeks, will include the patched build of OpenSSL as a matter of course.

Current builds of Mercury (anything up to and including v4.70) do not use OpenSSL and are unaffected by this problem. Mercury/32 v4.8, which is in the final stages of development at present, *does* use OpenSSL, but will be released with the patched build of OpenSSL from day one.

So, the long and the short of it is that if you're a current user of Pegasus Mail or Mercury, then the Heartbleed bug is not a matter of significant concern to you.